My previous article covered part of Scott Howard's presentation on ICS Security for Oil and Gas applications from this year's Design Seminar. In that article, we reviewed some of the cyber security fundamentals discussed by Scott.
For example, we examined the fact that most cyber threats are unintentional and originate from within the control network. We also looked at the fact that a perimeter defense is not sufficient and that IT solutions are not appropriate on the plant floor.
Instead, what's needed is Defense in Depth, that is, multiple layers of defense that work together to prevent network incidents, or to contain them if they do occur. A key best practice for Defense in Depth is to implement the zones and conduits model defined in the ISA/IEC 62443 standard. While not a regulation, this standard provides practical guidance that leads to more robust cyber security.
Today, we will take a closer look at zones and conduits and then review how they were implemented in three oil and gas applications.
Attendees in a lab session at the 2014 Belden Industrial Ethernet Infrastructure Design Seminar.
ISA IEC 62443 in a Nutshell
There is a lot to ISA/IEC 62443, but one of its main concepts is the zones and conduits model. This model provides a framework for network segmentation that limits how far a cyber security incident can spread.
In brief, a security zone groups logical or physical assets that share common security requirements. For example, your network could have a controller zone and a supervisory zone. Each zone has a defined border that can be either logical or physical and delineates which elements are included and which are excluded.
Communications between zones must be via a defined conduit. A conduit is any pathway of communication that enters or exits a security zone.
The conduits are the perfect "choke points" where we can implement security measures, such as industrial firewalls, to ensure that only the traffic needed by the plant is allowed to pass. These security measures compensate for the fact that the devices they protect have insufficient built-in security.
In addition, focusing on conduit mitigation is typically far more cost effective than upgrading every device or computer in a zone to meet security requirements. In fact, it is often not feasible to upgrade industrial devices such as PLCs and RTUs at all, as it can take years for updates to become available for them. Furthermore, such updates can often only be applied during a plant shutdown, an infrequent event that is hard to line up with the arrival of a needed security update.
Let's take a look at how zones and conduits can be used to protect three different oil and gas applications.
Industrial Cyber Security for an Offshore Platform
An offshore platform is a complex facility with many networked devices. In considering how to approach cyber security for the oil and natural gas processing operation, a few core principles were established:
- PLCs are critical assets
- PCs (especially those with humans in front of them) are threat sources
- Networks we don't control are untrusted
Using these principles, a preliminary zones and conduits analysis was developed.
An Offshore Platform zones and conduits diagram. This first-pass analysis highlights the issue of how to handle a device that connects to two networks.
While it was straightforward to determine many of the zones, a question arose as to how to handle the I/O server that connected to both the business network and the control network.
The solution was to create a "DMZ" (a "Demilitarized Zone") holding the I/O server in a zone of its own. Each side can reach the shared resource, but neither side can reach the other through it. This can be accomplished with two 2-port firewalls or one multi-port device. The final network diagram is available in the presentation available for download at the end of this article.
In addition, a more detailed Application Note on this project is also available.
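The zone and conduit rules above (every asset in exactly one zone, inter-zone traffic only over a defined conduit, and only the protocols the plant needs on that conduit) are simple enough to check mechanically. The following is an added illustration, not code from the article or from Belden: it models the final offshore layout with the I/O server in its own DMZ zone and evaluates a handful of constructed connection attempts against the conduit allow-lists. The zone names, asset names, protocols and ports are assumptions made for the example. The same check applies to any dual-homed device, such as a custody-transfer flow meter.

```python
"""Zones-and-conduits policy check, modelled on the offshore platform example.

Added illustration, not code from the article or from Belden. Zone names, asset
names, protocols and ports below are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conduit:
    src: str            # zone that initiates the connection
    dst: str            # zone that accepts it
    allowed: frozenset  # (proto, port) tuples allowed in the src -> dst direction


class ZoneModel:
    """Every asset belongs to exactly one zone; inter-zone traffic needs a conduit."""

    def __init__(self):
        self.zones = {}        # zone -> set of assets
        self.asset_zone = {}   # asset -> zone
        self.conduits = {}     # (src zone, dst zone) -> Conduit

    def add_zone(self, name, assets):
        for asset in assets:
            # A device on two networks cannot simply be listed in both zones;
            # it needs a zone of its own (the DMZ in the article). Refuse the overlap.
            if asset in self.asset_zone:
                raise ValueError(
                    f"{asset} is already in zone {self.asset_zone[asset]!r}; "
                    f"dual-homed devices need a zone of their own")
            self.asset_zone[asset] = name
        self.zones[name] = set(assets)

    def add_conduit(self, src, dst, allowed):
        for zone in (src, dst):
            if zone not in self.zones:
                raise ValueError(f"unknown zone {zone!r}")
        # Conduits are directional: reply packets of an allowed connection are
        # handled by the stateful firewall, not by a second conduit.
        self.conduits[(src, dst)] = Conduit(src, dst, frozenset(allowed))

    def evaluate(self, src_asset, dst_asset, proto, port):
        """Return (verdict, reason) for one connection attempt."""
        src_zone = self.asset_zone.get(src_asset)
        dst_zone = self.asset_zone.get(dst_asset)
        if src_zone is None or dst_zone is None:
            return "deny", "asset not assigned to any zone"
        if src_zone == dst_zone:
            return "allow", f"intra-zone traffic in {src_zone}"
        conduit = self.conduits.get((src_zone, dst_zone))
        if conduit is None:
            return "deny", f"no conduit {src_zone} -> {dst_zone}"
        if (proto, port) not in conduit.allowed:
            return "deny", f"{proto}/{port} not allowed on conduit {src_zone} -> {dst_zone}"
        return "allow", f"conduit {src_zone} -> {dst_zone}"


def offshore_model():
    """Final offshore layout: I/O server in its own DMZ zone between business and control."""
    m = ZoneModel()
    m.add_zone("business", {"erp-app", "office-pc"})
    m.add_zone("dmz", {"io-server"})
    m.add_zone("supervisory", {"hmi-1"})
    m.add_zone("controller", {"plc-1", "plc-2"})
    # Assumed protocols: OPC UA into the DMZ, Modbus/TCP toward the PLCs.
    m.add_conduit("business", "dmz", {("tcp", 4840)})
    m.add_conduit("dmz", "controller", {("tcp", 502)})
    m.add_conduit("supervisory", "controller", {("tcp", 502)})
    return m


# Constructed connection attempts: (src asset, dst asset, proto, port).
SAMPLE_FLOWS = [
    ("office-pc", "io-server", "tcp", 4840),  # business reads shared data via the DMZ
    ("office-pc", "plc-1", "tcp", 502),       # business tries to reach a PLC directly
    ("io-server", "plc-1", "tcp", 502),       # DMZ host polls the PLC
    ("io-server", "plc-1", "tcp", 22),        # SSH to a PLC is not a plant need
    ("plc-1", "io-server", "tcp", 502),       # PLC initiating toward the DMZ
    ("hmi-1", "plc-2", "tcp", 502),           # supervisory to controller
    ("plc-1", "plc-2", "tcp", 502),           # peer PLCs in the same zone
]


def audit(model, flows):
    """Evaluate each flow; returns a list of (flow, verdict, reason)."""
    return [(f, *model.evaluate(*f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, reason in audit(offshore_model(), SAMPLE_FLOWS):
        print(f"{verdict:5} {flow[0]:>10} -> {flow[1]:<10} {flow[2]}/{flow[3]:<5} {reason}")
```

The second sample flow is the point of the DMZ: the office PC can reach the I/O server, but there is no conduit from the business zone to the controller zone, so a direct connection to a PLC is denied without any per-device configuration on the PLC itself. Note also that the first-pass layout, with the I/O server listed in both the business and controller zones, is rejected by `add_zone` rather than silently accepted.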
Zones and Conduits in a Refinery
Like the offshore platform, an oil refinery is a complex operation and in many of them more than one process is underway at any given time. In our example, each process has its own master zone, with supervisory, basic control and process zones within the master.
After a first pass at determining zones and conduits, the proposed plan was reviewed again and a risk analysis was performed. This highlighted the fact that one of the major risks that could lead to process stoppage was the accidental or intentional tripping of an emergency shutdown.
Based on this realization, the zones and conduits were revised to place the Safety Instrumented System (SIS) in zones of its own, separate from the process control system zones. The final zone and conduit plan is shown in the diagram below.
The cyber security solution for a Refinery includes separate zones for the Safety Instrumented System (SIS).
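Putting the SIS in its own zone only helps if the conduit into that zone carries no more than the plant needs, which for an SIS is normally status monitoring, not commands. The following is an added illustration, not code from the article and not a Belden product: it enforces a read-only conduit at the protocol level by parsing Modbus/TCP requests and allowing only read function codes toward the SIS zone, while denying writes, diagnostics and malformed frames. Modbus/TCP is an assumption here; the article does not say which protocol the refinery uses. The frames are constructed for the example.

```python
"""Read-only enforcement on the conduit into an SIS zone, at Modbus/TCP level.

Added illustration, not code from the article or a Belden product. Modbus/TCP is
assumed as the protocol crossing the SIS conduit; the article does not name one.
"""
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id

# Function codes that only read process data from the SIS.
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
# Function codes that change state (could trip or inhibit a shutdown) or probe the device.
WRITE_OR_DIAG_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register", 8: "Diagnostics",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers", 43: "Encapsulated Interface Transport",
}


def build_request(tid, unit, function, data):
    """Assemble a Modbus/TCP request: MBAP header + PDU (function code + data)."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, 1 + len(pdu), unit) + pdu   # length counts unit id + PDU


def parse_request(frame):
    """Parse and sanity-check one Modbus/TCP frame; raise ValueError if malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def sis_conduit_verdict(frame, allowed=READ_FUNCTIONS):
    """Allow only read-type requests into the SIS zone; deny writes, diagnostics and junk."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return "deny", f"malformed frame: {exc}"
    fc = req["function"]
    if fc in allowed:
        return "allow", f"fc {fc} {allowed[fc]}"
    name = WRITE_OR_DIAG_FUNCTIONS.get(fc, "unlisted function")
    return "deny", f"fc {fc} {name} not permitted toward SIS"


# Constructed traffic: what an HMI or historian might send across the SIS conduit.
SAMPLE_FRAMES = [
    build_request(1, 1, 3, b"\x00\x00\x00\x0a"),                         # read 10 holding registers
    build_request(2, 1, 5, b"\x00\x10\xff\x00"),                         # force coil 16 ON
    build_request(3, 1, 16, b"\x00\x00\x00\x02\x04\x00\x01\x00\x02"),    # write 2 registers
    build_request(4, 1, 2, b"\x00\x00\x00\x08"),                         # read 8 discrete inputs
    build_request(5, 1, 3, b"\x00\x00\x00\x0a")[:-2],                    # truncated on the wire
]


def audit_frames(frames):
    """Return the (verdict, reason) pair for each frame."""
    return [sis_conduit_verdict(f) for f in frames]


if __name__ == "__main__":
    for frame, (verdict, reason) in zip(SAMPLE_FRAMES, audit_frames(SAMPLE_FRAMES)):
        print(f"{verdict:5} {frame.hex():<40} {reason}")
```

Two design points carry over to a real conduit device: anything that does not parse cleanly is denied rather than forwarded, and the allow-list is positive (named read functions) so a new or vendor-specific function code is blocked until someone decides the plant needs it. A plain port filter on TCP/502 would pass all five frames, including the two writes.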
A point you are likely interested in is how much it cost to implement the cyber security measures for this facility. The network had more than 500 assets, and the final plan included 17 zones and 22 conduits. The total cost of the risk analysis plus the supply of the conduits (18 were Tofino Security Appliances; the other four were already protected by IT) was less than $200,000.
Cyber Security for Pipeline Infrastructure
A pipeline system includes the pipeline itself, pump stations and connections to one or more wide area networks (WANs). There are usually several points in the system where custody transfer of the resource occurs, with the resource measured by flow meters. A simplified version of a pipeline system is shown below:
A simplified diagram of a pipeline system showing custody transfer points.
One approach is to focus on securing the critical assets only. For example, a Tofino Security Appliance could be a conduit to the control network in the pump station.
Another approach takes into account that the flow meters connect to two networks for custody transfer, and that one of those networks is not trusted. In this situation, the flow meter could be put into a DMZ and all zones separated with a multi-port EAGLE firewall.
Belden's Tofino and EAGLE security devices have different strengths for providing plant-wide security. Here is a summary of their applications and strengths.
Industrial Cyber Security Does Not Have to be Hard
By following some straightforward guidelines:
- Do a risk assessment
- Implement the best practice of zones and conduits as per ISA/IEC 62443
- Carry out Defense in Depth throughout your facility
you will be on your way to securing your facility.
Provided below is a link to download Scott's entire presentation, plus links to other materials you may find handy.
Do you think a zones and conduit approach will work in your facility? I look forward to hearing from you.
For more information on zones and conduits, see this earlier blog article. Note that it refers to the standard as ANSI/ISA 99 as that was its previous name.
ICS Security for Oil and Gas:
- Blog: Cyber Security for Oil and Gas Applications, Part 1 of 2
- Download webpage: Application Note – Implementing Cyber Security in Offshore Oil and Gas Platforms
Cyber Security Fundamentals:
- Blog: Cyber Threats Increase for U.S. Critical Infrastructure
- Blog: Defense in Depth Part 2: Layering Multiple Defenses
- Blog: Why Industrial Networks are Different than IT Networks (and What to do About It)
- Blog: Why SCADA Firewalls Need to be Stateful - Part 1 of 3
Malware and the Energy Sector:
- Blog: Cyber Threats Increase for U.S. Critical Infrastructure
- Tofinosecurity.com Blog: Summing up Stuxnet in 4 Easy Sections
- Blog: Flame – The Latest Super Worm Discovered in the Middle East Energy Industry
- Blog: Shamoon – Malicious Malware Harms 30,000+ Computers
- Blog: Industrial Networking: Easy Security Risk Assessment
- Blog: SCADA Security: Justifying the Investment
Belden Security Products
- Webpage: EAGLE One Security Router
- Webpage: EAGLE20-0400 and EAGLE30-0402 Multi-port Firewalls
- Webpage: Tofino Xenon